Digital Signing - Post build MSI modify



Christoph
10-01-2009, 10:30 AM
I have a basic MSI project built in IS2008.
In the Signing tab of the Releases view, I define all the necessary information for digitally signing my setup.exe and foo.msi file.

Inspecting those, they seem to be signed correctly.

However... in our build process, I need to modify the MSI with some post-scripting and this seems to 'reset' the digital signing [see screenshot]

Any idea what I can do about this?

If I have a little think, I should probably re-sign the msi after modifying the msi... but:

Which tool should I use for this? SignCode or SignTool?


What is the difference between those 2 tools?


Any idea which command lines I should pass when I want the same behaviour as signing from within the IDE?

gbaltazar
10-01-2009, 02:33 PM
Modifying the MSI post-signing will invalidate the digital signature. You will definitely need to re-sign. SignCode or SignTool will work just fine; it just depends on whether you prefer to use pvk files versus pfx files...
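
An added example, not code from either poster or from InstallShield: a PowerShell step that runs after the post-build MSI edit, re-signs the file with SignTool, and fails the build unless the signature verifies. It assumes a current Windows SDK signtool.exe on PATH and a signing certificate in the certificate store; the script parameters, thumbprint and timestamp URL are placeholders to be supplied by the build.

```powershell
# Added example: re-sign an MSI as the LAST step of the build, after every
# post-build edit. Any change to the file after this step breaks the signature again.
# Assumptions (not from the thread): signtool.exe is on PATH, the signing
# certificate is installed in the certificate store, and the caller passes the
# certificate thumbprint and an RFC 3161 timestamp server URL.
param(
    [Parameter(Mandatory)] [string] $MsiPath,          # e.g. path to foo.msi
    [Parameter(Mandatory)] [string] $CertThumbprint,   # <SIGNING-CERT-THUMBPRINT>
    [Parameter(Mandatory)] [string] $TimestampUrl      # <TIMESTAMP-SERVER-URL>
)
$ErrorActionPreference = 'Stop'

function Get-SignatureStatus([string] $Path) {
    # Returns the Authenticode status (Valid, NotSigned, HashMismatch, ...)
    (Get-AuthenticodeSignature -FilePath $Path).Status
}

# 1. Record the state left behind by the post-build script. Anything other
#    than 'Valid' is expected here, because the file changed after signing.
$before = Get-SignatureStatus $MsiPath
Write-Host "Status after post-build edit: $before"

# 2. Re-sign. /sha1 selects the certificate by thumbprint from the store, so
#    no PFX password appears on the command line or in build logs.
& signtool.exe sign /sha1 $CertThumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# 3. Verify against the default Authenticode policy (/pa) and stop the build
#    if the chain or the file hash does not check out.
& signtool.exe verify /pa /v $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# 4. Independent check through PowerShell's own Authenticode API.
$after = Get-SignatureStatus $MsiPath
if ($after -ne 'Valid') { throw "Signature status is '$after', expected 'Valid'" }
Write-Host "Re-signed and verified: $MsiPath"
```

If the certificate is only available as a PFX file, `signtool sign /f <file.pfx> /p <password>` is the equivalent form; read the password from a protected build secret rather than hard-coding it in the script.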